The General Data Protection Regulation (GDPR) is the EU's comprehensive data protection law — and unlike CAN-SPAM or CASL, it applies fully to employee personal data, not just external recipients. If your organization has any EU-based employees, GDPR governs how you communicate with them and track their engagement.
What GDPR Is
GDPR came into effect on May 25, 2018, and is enforced by data protection authorities in each EU member state. Unlike CAN-SPAM or CASL, GDPR is not just an email law — it governs how organizations collect, store, use, share, and delete personal data of any kind, including the data of your own employees.
GDPR applies whenever you process the personal data of an EU resident, regardless of where your organization is based.
What GDPR Requires
GDPR is built around seven core principles for handling personal data:
- Lawful basis — every use of personal data needs a legal basis (for employee comms, usually "legitimate interest" or "contract").
- Transparency — employees must know what you collect, why, and for how long.
- Purpose limitation — data collected for one reason can't be reused for an unrelated one.
- Data minimization — collect only what you need.
- Accuracy — keep data up to date.
- Storage limitation — don't keep data longer than necessary.
- Security — protect data with appropriate technical and organizational measures.
GDPR also creates data subject rights — including access, correction, deletion, and objection. Employees can exercise these against their employer, and you must respond within one month.
What Counts as "Personal Data" for Internal Comms
GDPR's definition is broad. For internal comms teams, personal data includes:
- employee email addresses and names
- job titles and reporting lines used for list segmentation
- IP addresses and device identifiers captured during email opens
- individual open and click data
- survey responses tied to a named employee
Tracking which employees opened the CEO's town hall invite creates personal data that needs a lawful basis.
Common Edge Cases for Internal Communicators
- Individual-level engagement tracking of EU employees, especially when results could be tied to performance reviews
- Pre-boarding comms to new hires before their employment contract starts (no contractual basis yet)
- Off-boarding and alumni comms to former EU employees (lawful basis often disappears at exit)
- Cross-border data transfers when your sending infrastructure lives outside the EU/UK
- Data subject access requests from employees asking what engagement data you hold on them
Penalties
GDPR fines are tiered:
- Serious violations — up to €20 million or 4% of global annual turnover, whichever is higher. Applies to breaches of core principles, data subject rights, and unlawful processing.
- Procedural violations — up to €10 million or 2% of global annual turnover, whichever is higher.
Since enforcement began in 2018, GDPR fines have totaled more than €7.1 billion across over 2,200 documented penalties.
How ContactMonkey Helps
- GDPR-friendly tracking option anonymizes engagement data after delivery, giving you aggregate metrics without creating individual-level personal data for EU employees.
- External Sending Governance limits where employee data can be sent, reducing the surface area for unauthorized exposure of EU staff details.
- HRIS-controlled sync means you decide which employee records and fields flow into ContactMonkey, supporting the GDPR principle of data minimization at the source.
The GDPR tracking option combined with External Sending Governance is the strongest combination for organizations with EU employees.
This article is for educational purposes only and does not constitute legal advice. Consult qualified EU data protection counsel for advice on your organization's program.